JWT Decoder & Validator

Decode header and payload; optionally verify HS signatures using a secret key.


About This Tool

JWT (JSON Web Token) is a standard format for signed tokens that carry JSON claims. This tool decodes the header and payload from any JWT. To verify a signature, provide the HMAC secret that was used to sign the token.

What is JWT (JSON Web Token)?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in modern web applications, APIs, and microservices architectures.

A JWT consists of three parts separated by dots (.): header.payload.signature

  • Header: Contains the token type (JWT) and signing algorithm (e.g., HS256, RS256)
  • Payload: Contains the claims (user data, permissions, expiration time, etc.)
  • Signature: Lets the recipient check that the header and payload haven't been altered since the token was signed

Each part is Base64URL encoded, which makes the token URL-safe and easy to transmit in HTTP headers, cookies, or query parameters.

How to Use This JWT Decoder

  1. Copy your JWT token from your application, API response, or browser storage
  2. Paste the token into the input field
  3. The tool instantly decodes and displays the header and payload in formatted JSON
  4. View token expiration time and check if it's still valid
  5. Optionally provide a secret key to verify the signature (HS256 tokens only)

Note: This decoder only validates structure and signature. It doesn't verify claims like issuer, audience, or custom validation rules - that's your application's job.

Common Use Cases

  • Debugging Authentication Issues: Quickly inspect JWT tokens to see what claims and permissions are included, helping debug authorization problems.
  • Checking Token Expiration: View the 'exp' (expiration) claim to see when a token will expire and if it's still valid.
  • API Development: Verify that your API is generating tokens with the correct claims, structure, and signing algorithm.
  • Security Audits: Review JWTs from third-party services to ensure they don't contain sensitive information that shouldn't be in a client-visible token.
  • Learning & Education: Understand how JWTs work by examining real tokens from applications you use.

Understanding JWT Claims

Common standard claims you'll see in JWT payloads:

  • iss (Issuer): Who created the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration): When the token expires (Unix timestamp)
  • iat (Issued At): When the token was created
  • nbf (Not Before): Token isn't valid before this time
  • jti (JWT ID): Unique identifier for this token

Plus any custom claims your application adds, like user roles, permissions, email, etc.

Frequently Asked Questions

Q: Is JWT decoding secure? Can you see my tokens?

All decoding happens in your browser using JavaScript. Your JWT tokens NEVER leave your device - nothing is sent to our servers. You can verify this in your browser's network tab or use this tool offline. Your tokens are completely private.

Q: Can I decode a JWT without the secret key?

Yes! JWTs are Base64URL encoded, not encrypted. You can always decode the header and payload to view the data inside. However, you need the secret key (for HS256) or public key (for RS256) to verify the signature and ensure the token hasn't been tampered with.

Q: Why does my JWT show as expired but still works?

Some applications don't enforce expiration strictly, or they use a grace period. However, relying on expired tokens is a security risk. The 'exp' claim is there for a reason - expired tokens should be refreshed.

Q: What's the difference between HS256 and RS256?

HS256 (HMAC with SHA-256) uses a single shared secret key for both signing and verification, so every party that verifies tokens can also mint them. RS256 (RSA with SHA-256) uses a private key to sign and a public key to verify. RS256 is the better fit for public APIs because verifiers only need the public key, which can be distributed freely, while the signing key stays with the issuer.

Q: Can I modify a JWT and re-sign it?

This tool is for decoding only. To modify and re-sign JWTs, you'd need the secret key and server-side tools. Never try to forge JWTs - the signature will be invalid and servers will reject them.

Security Best Practices

  • Always use HTTPS: JWTs should only be transmitted over secure connections
  • Keep tokens short-lived: Use expiration times (exp claim) and refresh tokens
  • Don't store sensitive data: JWTs are signed, not encrypted - anyone holding the token can decode the payload
  • Use strong secrets: For HS256, use cryptographically random keys of sufficient length
  • Validate all claims: Always verify iss, aud, exp, and other claims server-side
  • Use httpOnly cookies: Store JWTs in httpOnly cookies so that script injected through an XSS flaw cannot read them
